Sigma rules for CVE-2019-14287
2 rules · scoped to cve · back to CVE-2019-14287
Direct rules mention this entity in their title or description. Related rules cover the techniques this entity is known to use.
title: Linux Sudo Chroot Execution
id: f2bed782-994e-4f40-9cd5-518198cb3fba
status: experimental
description: |
Detects the execution of 'sudo' command with '--chroot' option, which is used to change the root directory for command execution.
Attackers may use this technique to evade detection and execute commands in a modified environment.
This can be part of a privilege escalation strategy, as it allows the execution of commands with elevated privileges in a controlled environment as seen in CVE-2025-32463.
While investigating, look out for unusual or unexpected use of 'sudo --chroot' in conjunction with other commands or scripts such as execution from temporary directories or unusual user accounts.
references:
- https://github.com/kh4sh3i/CVE-2025-32463/blob/81bb430f84fa2089224733c3ed4bfa434c197ad4/exploit.sh
author: Swachchhanda Shrawn Poudel (Nextron Systems)
date: 2025-10-02
tags:
- attack.privilege-escalation
- attack.t1068
logsource:
category: process_creation
product: linux
detection:
selection:
Image|endswith: '/sudo'
CommandLine|contains:
- ' --chroot '
- 'sudo -R '
condition: selection
falsepositives:
- Legitimate administrative tasks or scripts that use 'sudo --chroot' for containerization, testing, or system management.
level: low
title: Powershell Detect Virtualization Environment
id: d93129cd-1ee0-479f-bc03-ca6f129882e3
status: test
description: |
Adversaries may employ various system checks to detect and avoid virtualization and analysis environments.
This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1497.001/T1497.001.md
- https://techgenix.com/malicious-powershell-scripts-evade-detection/
author: frack113, Duc.Le-GTSC
date: 2021-08-03
modified: 2022-03-03
tags:
- attack.discovery
- attack.stealth
- attack.t1497.001
logsource:
product: windows
category: ps_script
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection_action:
ScriptBlockText|contains:
- Get-WmiObject
- gwmi
selection_module:
ScriptBlockText|contains:
- MSAcpi_ThermalZoneTemperature
- Win32_ComputerSystem
condition: all of selection*
falsepositives:
- Unknown
level: medium